Best way to connect 2 offices

bobcpg

I have one office already set up (HQ) with a simple network and domain running W2K Server. We just purchased another office (Site A) about 2 miles away. I want to connect Site A to HQ so that the Windows clients can authenticate/share files/printers with HQ from Site A.

What is the best way to do this? I am thinking about just getting 2 Netgear VPN appliances and setting up a dedicated VPN between the two. My question is: Will AD be able to authenticate and will the users be able to get to network shares through the VPN?

I have some knowledge of networking as I took all the CCNA classes about 3 years ago, never took the test though. From what I have read both networks should be on different subnets but other than that is it going to be that easy?
 

her209

Yup. Just make sure the DNS server points to the DC in the HQ or run a second DC that is local to the Site A and have the two DCs replicate through the VPN tunnel. If users will be pulling files across the VPN tunnel, it may be a little slow depending on the Internet connection and VPN encryption/decryption capabilities of the site-to-site VPN devices.
 

JackMDS

The "Best Modern Way" is to use a Windows 2008 R2 server as a Direct Access Server.

http://technet.microsoft.com/e.../network/dd420463.aspx

However given what you have now you would need to spend a lot of money for new systems.

So given your situation, there is No best way, but Best compromise, which is probably the VPN solution that you mentioned.

It is bidirectional, more secure, more flexible, and it takes less bandwidth than VPN.

In order
 

bobcpg

Do you know if the Netgear VPN appliances should serve as my internet router or will/should it be behind the main router?
 

hanoverphist

I've got similar needs as well, any links to decent hardware to accomplish this? And at the "HQ" location, would you still need the existing router/network or would the VPN hw replace it all?
 

imagoon

Depends heavily on what your goals and expected performance are.

#1 File access will be slow. There is not much you can do about that without more hardware.
#2 Admins often miss setting up AD properly for multiple sites. AD Sites and Services is important.


Way to connect the buildings:

Point to point. Expensive but stable. Can often support IP phones etc to allow SITE A to share the PBX at HQ.

MPLS Less Expensive but often stable. Same as above.

VPN via public Internet. Often unstable (in the sense of latency and packet loss) only provides a link up to the current "upload" of the connection. So 2 DSL 1.5 MB / 768k connections on both ends will result in a 768k connection. Cheaper VPN devices can't handle routing internet well so you might have to load SITE A internet through HQ. This can be useful or a pain. Depends on your needs.

Devices that work well: Juniper SSG5's for smaller networks. Cisco 1800 series routers can do it also (I think) and I think have an encryption offload card. Bigger stuff is needed to handle bigger connections obviously. Juniper SSG140 is an example of the next step up.

I can't really recommend anything however as you left out critical things like, number of users at each site, Internet link up speeds/services, *budgets*.

Connecting site A to HQ when both have say business cable and 50 users at each site is very different than if Site A is 3 people. 3 People might survive on cheapo netgear VPN devices. (Too cheap and temperamental for me though.) Juniper SSG5 is about the cheapest I go for.
 

drebo

Two NetVanta 3120s will do an IPSEC site-to-site VPN easily and are cheaper than the equivalent Cisco ASA5505. If you have line-of-sight between them (common in suburbia), you may also consider a wireless bridge. It'll be more expensive, but it'll be faster and you'll be able to cancel the internet connection at one of the locations.
 

hanoverphist

> I can't really recommend anything however as you left out critical things like, number of users at each site, Internet link up speeds/services, *budgets*.
>
> Connecting site A to HQ when both have say business cable and 50 users at each site is very different than if Site A is 3 people. 3 People might survive on cheapo netgear VPN devices. (Too cheap and temperamental for me though.) Juniper SSG5 is about the cheapest I go for.

HQ in my case will be 4 users, site A would be a single user logging in to do financial type stuff, very light load.
 

Crusty

Sounds like a job for two business class connections + VPN between them IMO. You could probably get your ISP to do the entire setup for you.
 

imagoon

> HQ in my case will be 4 users, site A would be a single user logging in to do financial type stuff, very light load.

In your case then I would definitely be ok with "cheap" because one user is going to be pretty low load. In this case the cheap netgear routers on each end could work out well. If the load is really light you might be able to get away with a cheap "business line" at site A vpn connected to the HQ line that already exists.

Depending on how many "files" the user accesses however it might be worth dropping a computer out there to be a "server" with Windows 2k3 R2 or 2k8 R2 using DFS-R. This might sound like overkill but it also gives you the ability to off site data in the case of a building fire (at either end) etc. It also gets the data on the network so the Site A person isn't storing it all on his or her laptop. Small companies seem to rarely think about business continuity and would be in trouble in a total loss situation.

This of course requires a budget of 1500 - $2000 (US) which might scare tiny companies away. I take that as them telling me their data is worth less than $1500 though.
 

Jamsan

How about setting up a computer (virtual machine, physical machine or terminal services) and have the person at Site A connect into the main network via a VPN connection (traditional client IPSec, SSL, etc. - not a site to site) and have them access their PC that way. That way, all of the files are the main location and can easily be backed up. With slower connections, it's inevitable that the person will start storing files locally, which will just be bad for DR and from a security standpoint.
 

bobcpg

HQ has about 10 users and one W2K8 server. SITE A will have about 7 users. All users will be using Quick books and a customer record piece of software that will need a constant connection to the server. Budget I would say is around $800 to spend on site to site VPN equipment.

Big question is: Once I have the VPN set up between the two sites can I still forward Windows clients' VPN access to the server? i.e. Will forwarding RRAS VPN access to the W2k8 server through the VPN routers cause site to site VPN issues?
 

imagoon

> HQ has about 10 users and one W2K8 server. SITE A will have about 7 users. All users will be using Quick books and a customer record piece of software that will need a constant connection to the server. Budget I would say is around $800 to spend on site to site VPN equipment.
>
> Big question is: Once I have the VPN set up between the two sites can I still forward Windows clients' VPN access to the server? i.e. Will forwarding RRAS VPN access to the W2k8 server through the VPN routers cause site to site VPN issues?

Typically you use a separate IP address for bridges. However, if you are using PPTP VPNs you should still be able to terminate an IPSEC vpn while forwarding a PPTP VPN pretty easily. You can still terminate IPSEC VPNs with IPSEC clients but it is a bit more work. I personally always let the VPN servers / concentrators / interfaces have their own because it is one less thing to have break and more IP's is often easy and cheap.

One thing I will note. Quickbooks may not run well on a WAN link. It moves a decent amount of data during reports and the like and you might find the performance pretty poor for just 1 user remotely. Multiply that x 10 and I am not sure you will have a satisfactory running system. Intuit forums pretty much says "use VNC" or "Logmein / gotomypc" both of which can also trash a WAN link. The other customer system I can't comment on because I don't know the characteristics of the program.
 

bobcpg

imagoon - Thanks for the response it was very helpful, especially about Quick Books.

Another Question: If I were to make the Netgear VPN appliance just a node on the HQ network and connect it to another WAN IP, would I need to just create a STATIC ROUTE on the HQ's network default gateway to point all SITE A ip traffic to the Netgear VPN appliance for correct routing?
 

RebateMonger

Running Quickbooks with multiple users across a VPN is likely to be very slow and could be prone to file corruption. The "standard" way of running Quickbooks remotely is to use Terminal Services or its equivalent. Although Intuit doesn't support TS with the non-Enterprise version of QB, everybody does it.

Quickbooks Support: Compatibility of different network types with Quickbooks:

http://support.quickbooks.intuit.com/support/pages/knowledgebasearticle/1001473

Recommended Network Types:

Local Area Network (LAN): A network that connects computers in close proximity (usually within a building) with a "hard" cable.
Compatibility: QuickBooks is designed to work with LANs.

Other Network Types:

Terminal Service Network: A network setup in which users run the QuickBooks program on a server computer using a "terminal session" on a remote computer.
Compatibility: A Terminal Service Network environment is only supported for QuickBooks Enterprise Solutions.

Virtual Private Network (VPN): A network in which computers are connected over long distances across the public Internet using an encrypted "tunnel".
Compatibility: Not recommended. QuickBooks is not designed to work with VPNs.
 

imagoon

> imagoon - Thanks for the response it was very helpful, especially about Quick Books.
>
> Another Question: If I were to make the Netgear VPN appliance just a node on the HQ network and connect it to another WAN IP, would I need to just create a STATIC ROUTE on the HQ's network default gateway to point all SITE A ip traffic to the Netgear VPN appliance for correct routing?

You can do it with statics. For a small company with only one site you can make it work.

You would create a new ip range at the other side. Build the tunnel with the VPN device. On the remote side set gateway of last resort to the local HQ VPN device or to the HQ side gateway.

*this varies on how the VPN is built. Juniper uses the tunnel to make the 'HQ' network show up as an interface on the 'remote side' so you can just set it to the HQ gateway address and the packets make it there. You can also point it at the HQ VPN device and let it handle routing. I personally use a remote gateway of last resort -> VPN device. Mine however participates in a BGP routing group so it knows all the other gateways to the rest of the LAN and WANs and can route smartly because of it. You can accomplish the same with a static route in the 'HQ' VPN device pointing at the gateway.

In your internet router you set up a static route to send all requests for the remote network to the VPN bridge. It is rare that you only set up 1 static route remember.

Lots of text for something that is actually pretty easy >.<
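
The static-route layout discussed in the post above, modeled as an added example (not part of the thread and not any vendor's configuration). The subnets, addresses and device names are constructed assumptions, with Site A's default route sent through the tunnel; longest-prefix matching shows which next hop each device picks, and what happens when the HQ gateway's static route is missing.

```python
import ipaddress

# Constructed addressing plan (assumed for illustration, not from the thread)
HQ_LAN = ipaddress.ip_network("192.168.10.0/24")
SITE_A_LAN = ipaddress.ip_network("192.168.20.0/24")
HQ_GATEWAY = "192.168.10.1"    # existing HQ internet router
HQ_VPN = "192.168.10.254"      # VPN appliance attached as a node on the HQ LAN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def check_plan(hq, site):
    """A routed site-to-site tunnel needs non-overlapping LAN ranges."""
    if hq.overlaps(site):
        raise ValueError(f"{hq} and {site} overlap; renumber one site")

def next_hop(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_tables():
    """Routing tables for the three devices in the constructed plan."""
    check_plan(HQ_LAN, SITE_A_LAN)
    return {
        # HQ router: internet by default, Site A handed to the VPN appliance
        "hq_gateway": [(DEFAULT, "ISP"), (HQ_LAN, "connected"),
                       (SITE_A_LAN, HQ_VPN)],
        # HQ VPN appliance: Site A via the tunnel, everything else to the router
        "hq_vpn": [(DEFAULT, HQ_GATEWAY), (HQ_LAN, "connected"),
                   (SITE_A_LAN, "tunnel")],
        # Site A appliance: gateway of last resort is the tunnel to HQ
        "site_a_vpn": [(DEFAULT, "tunnel"), (SITE_A_LAN, "connected")],
    }

def without_site_route(table):
    """The same table with the Site A static route left out (the common mistake)."""
    return [(net, hop) for net, hop in table if net != SITE_A_LAN]

if __name__ == "__main__":
    tables = build_tables()
    for dev in ("hq_gateway", "hq_vpn", "site_a_vpn"):
        print(dev, "->", next_hop(tables[dev], "192.168.20.15"))
    # Without the static route, Site A traffic follows the default route to the ISP
    print("no static:", next_hop(without_site_route(tables["hq_gateway"]), "192.168.20.15"))
```

With the static route missing, traffic for Site A follows the HQ router's default route out the WAN interface instead of reaching the tunnel, which is the first thing to check when one direction of the link fails.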
 